<!doctype html>
<html lang="en" data-color-mode="dark">
<head>
<meta charset="utf-8">
<title>Sysdig 备忘清单 &amp; sysdig cheatsheet &amp; Quick Reference</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="该备忘单提供了使用 Sysdig 的常用命令参数和使用案例清单 入门，为开发人员分享快速参考备忘单。">
<meta name="keywords" content="sysdig,reference,Quick,Reference,cheatsheet,cheat,sheet">
<link rel="icon" href="data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%2024%2024%22%20fill%3D%22none%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20height%3D%221em%22%20width%3D%221em%22%3E%20%3Cpath%20d%3D%22m21.66%2010.44-.98%204.18c-.84%203.61-2.5%205.07-5.62%204.77-.5-.04-1.04-.13-1.62-.27l-1.68-.4c-4.17-.99-5.46-3.05-4.48-7.23l.98-4.19c.2-.85.44-1.59.74-2.2%201.17-2.42%203.16-3.07%206.5-2.28l1.67.39c4.19.98%205.47%203.05%204.49%207.23Z%22%20fill%3D%22%23c9d1d9%22%2F%3E%20%3Cpath%20d%3D%22M15.06%2019.39c-.62.42-1.4.77-2.35%201.08l-1.58.52c-3.97%201.28-6.06.21-7.35-3.76L2.5%2013.28c-1.28-3.97-.22-6.07%203.75-7.35l1.58-.52c.41-.13.8-.24%201.17-.31-.3.61-.54%201.35-.74%202.2l-.98%204.19c-.98%204.18.31%206.24%204.48%207.23l1.68.4c.58.14%201.12.23%201.62.27Zm2.43-8.88c-.06%200-.12-.01-.19-.02l-4.85-1.23a.75.75%200%200%201%20.37-1.45l4.85%201.23a.748.748%200%200%201-.18%201.47Z%22%20fill%3D%22%23228e6c%22%20%2F%3E%20%3Cpath%20d%3D%22M14.56%2013.89c-.06%200-.12-.01-.19-.02l-2.91-.74a.75.75%200%200%201%20.37-1.45l2.91.74c.4.1.64.51.54.91-.08.34-.38.56-.72.56Z%22%20fill%3D%22%23228e6c%22%20%2F%3E%20%3C%2Fsvg%3E" type="image/svg+xml">
<link rel="stylesheet" href="../style/style.css">
<link rel="stylesheet" href="../style/katex.css">
</head>
<body><nav class="header-nav"><div class="max-container"><a href="../index.html" class="logo"><svg viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg" height="1em" width="1em">
  <path d="m21.66 10.44-.98 4.18c-.84 3.61-2.5 5.07-5.62 4.77-.5-.04-1.04-.13-1.62-.27l-1.68-.4c-4.17-.99-5.46-3.05-4.48-7.23l.98-4.19c.2-.85.44-1.59.74-2.2 1.17-2.42 3.16-3.07 6.5-2.28l1.67.39c4.19.98 5.47 3.05 4.49 7.23Z" fill="#c9d1d9"></path>
  <path d="M15.06 19.39c-.62.42-1.4.77-2.35 1.08l-1.58.52c-3.97 1.28-6.06.21-7.35-3.76L2.5 13.28c-1.28-3.97-.22-6.07 3.75-7.35l1.58-.52c.41-.13.8-.24 1.17-.31-.3.61-.54 1.35-.74 2.2l-.98 4.19c-.98 4.18.31 6.24 4.48 7.23l1.68.4c.58.14 1.12.23 1.62.27Zm2.43-8.88c-.06 0-.12-.01-.19-.02l-4.85-1.23a.75.75 0 0 1 .37-1.45l4.85 1.23a.748.748 0 0 1-.18 1.47Z" fill="#228e6c"></path>
  <path d="M14.56 13.89c-.06 0-.12-.01-.19-.02l-2.91-.74a.75.75 0 0 1 .37-1.45l2.91.74c.4.1.64.51.54.91-.08.34-.38.56-.72.56Z" fill="#228e6c"></path>
</svg>
<span class="title">Quick Reference</span></a><div class="menu"><a href="javascript:void(0);" class="searchbtn" id="searchbtn"><svg xmlns="http://www.w3.org/2000/svg" height="1em" width="1em" viewBox="0 0 18 18">
  <path fill="currentColor" d="M17.71,16.29 L14.31,12.9 C15.4069846,11.5024547 16.0022094,9.77665502 16,8 C16,3.581722 12.418278,0 8,0 C3.581722,0 0,3.581722 0,8 C0,12.418278 3.581722,16 8,16 C9.77665502,16.0022094 11.5024547,15.4069846 12.9,14.31 L16.29,17.71 C16.4777666,17.8993127 16.7333625,18.0057983 17,18.0057983 C17.2666375,18.0057983 17.5222334,17.8993127 17.71,17.71 C17.8993127,17.5222334 18.0057983,17.2666375 18.0057983,17 C18.0057983,16.7333625 17.8993127,16.4777666 17.71,16.29 Z M2,8 C2,4.6862915 4.6862915,2 8,2 C11.3137085,2 14,4.6862915 14,8 C14,11.3137085 11.3137085,14 8,14 C4.6862915,14 2,11.3137085 2,8 Z"></path>
</svg><span>搜索</span><span>⌘K</span></a><a href="https://github.com/jaywcjlove/reference/blob/main/docs/sysdig.md" target="_blank" rel="noopener noreferrer"><svg viewBox="0 0 36 36" fill="currentColor" height="1em" width="1em"><path d="m33 6.4-3.7-3.7a1.71 1.71 0 0 0-2.36 0L23.65 6H6a2 2 0 0 0-2 2v22a2 2 0 0 0 2 2h22a2 2 0 0 0 2-2V11.76l3-3a1.67 1.67 0 0 0 0-2.36ZM18.83 20.13l-4.19.93 1-4.15 9.55-9.57 3.23 3.23ZM29.5 9.43 26.27 6.2l1.85-1.85 3.23 3.23Z"></path><path fill="none" d="M0 0h36v36H0z"></path></svg><span>编辑</span></a><button id="darkMode" type="button"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentColor" class="light" height="1em" width="1em">
  <path d="M6.995 12c0 2.761 2.246 5.007 5.007 5.007s5.007-2.246 5.007-5.007-2.246-5.007-5.007-5.007S6.995 9.239 6.995 12zM11 19h2v3h-2zm0-17h2v3h-2zm-9 9h3v2H2zm17 0h3v2h-3zM5.637 19.778l-1.414-1.414 2.121-2.121 1.414 1.414zM16.242 6.344l2.122-2.122 1.414 1.414-2.122 2.122zM6.344 7.759 4.223 5.637l1.415-1.414 2.12 2.122zm13.434 10.605-1.414 1.414-2.122-2.122 1.414-1.414z"></path>
</svg>
<svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 24 24" class="dark" height="1em" width="1em">
  <path d="M12 11.807A9.002 9.002 0 0 1 10.049 2a9.942 9.942 0 0 0-5.12 2.735c-3.905 3.905-3.905 10.237 0 14.142 3.906 3.906 10.237 3.905 14.143 0a9.946 9.946 0 0 0 2.735-5.119A9.003 9.003 0 0 1 12 11.807z"></path>
</svg>
</button><script src="../js/dark.js?v=1.5.5"></script><a href="https://github.com/jaywcjlove/reference" target="_blank" rel="noopener noreferrer" aria-label="GitHub 仓库"><svg viewBox="0 0 16 16" fill="currentColor" height="1em" width="1em" aria-hidden="true"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.012 8.012 0 0 0 16 8c0-4.42-3.58-8-8-8z"></path></svg></a></div></div></nav><div class="wrap h1body-exist max-container"><header class="wrap-header h1wrap"><h1 id="sysdig-备忘清单"><svg viewBox="0 0 256 317" xmlns="http://www.w3.org/2000/svg" height="1em" width="1em">
  <path d="M198.814 98.655a10.349 10.349 0 0 1 8.975 5.244l35.586 61.635c25.367 43.937 11.463 104.796-32.341 141.562a10.331 10.331 0 0 1-3.116 1.8 128.641 128.641 0 0 1-43.96 7.784c-39.453 0-76.278-18.462-94.807-50.556l-42.35-73.35a10.348 10.348 0 0 1 3.788-14.136l28.846-16.655a10.349 10.349 0 1 1 10.349 17.924L49.9 191.387l37.175 64.388c20.152 34.905 68.066 49.46 112.043 34.282 35.13-30.495 46.485-79.27 26.334-114.174l-35.586-61.635a10.349 10.349 0 0 1 8.948-15.593Zm-108.74 96.59c.12.216 6.66 11.866 12.895 22.894l.583 1.032c3.298 5.832 6.45 11.381 8.448 14.842 14.574 25.244 41.265 34.887 71.401 25.778 5.472-1.653 11.247 1.443 12.9 6.914 1.652 5.472-1.444 11.247-6.915 12.9a95.73 95.73 0 0 1-27.672 4.247 76.222 76.222 0 0 1-67.639-39.49 2209.073 2209.073 0 0 1-8.391-14.737l-.576-1.018-.577-1.022-.579-1.023-.578-1.023-.576-1.02a7893.27 7893.27 0 0 1-10.805-19.202c-2.782-4.993-.989-11.296 4.004-14.077 4.993-2.781 11.295-.988 14.077 4.005ZM19.272 5.105l122.265 211.771c3.335 5.774 12.789 15.683 24.682 11.845 5.44-1.754 11.272 1.235 13.025 6.675 1.753 5.44-1.236 11.272-6.676 13.025a38.083 38.083 0 0 1-11.719 1.875c-16.345 0-30.2-10.884-37.236-23.07L1.348 15.454C-1.455 10.51.253 4.23 5.176 1.388 10.098-1.454 16.39.206 19.272 5.106Zm89.756 60.963 29.135 50.463 18.53-10.7c4.945-2.812 11.234-1.105 14.078 3.821 2.845 4.927 1.18 11.226-3.729 14.103L139.55 139.63a10.35 10.35 0 0 1-4.812 1.381l-.364.006-.324-.005a10.35 10.35 0 0 1-8.637-5.169L91.104 76.417c-2.803-4.945-1.095-11.225 3.828-14.067 4.922-2.842 11.215-1.182 14.096 3.718Z" fill="currentColor"></path>
</svg>
<a aria-hidden="true" tabindex="-1" href="#sysdig-备忘清单"><span class="icon icon-link"></span></a>Sysdig 备忘清单</h1><div class="wrap-body">
<p>该备忘单提供了使用 <a href="https://sysdig.com/">Sysdig</a> 的常用命令参数和使用案例清单</p>
</div></header><div class="menu-tocs"><div class="menu-btn"><svg aria-hidden="true" fill="currentColor" height="1em" width="1em" viewBox="0 0 16 16" version="1.1" data-view-component="true">
  <path fill-rule="evenodd" d="M2 4a1 1 0 100-2 1 1 0 000 2zm3.75-1.5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zM3 8a1 1 0 11-2 0 1 1 0 012 0zm-1 6a1 1 0 100-2 1 1 0 000 2z"></path>
</svg></div><div class="menu-modal"><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#入门">入门</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#命令安装">命令安装</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#常用参数">常用参数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#输出含义">输出含义</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#chisels常用工具">chisels常用工具</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#命令帮助">命令帮助</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#捕获每个系统事件并将其写入标准输出">捕获每个系统事件并将其写入标准输出</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#自定义输出">自定义输出</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#抓取-kubernetes-pod-客户端-ip-的-udp-请求">抓取 kubernetes pod 客户端 ip 的 udp 请求</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#io案例">io案例</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#网络">网络</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#进程">进程</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#基本用法">基本用法</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#容器">容器</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#文件系统">文件系统</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#安全">安全</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#日志">日志</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#csysdig">CSysdig</a><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#另见">另见</a></div></div><div class="h1wrap-body"><div class="wrap h2body-exist"><div class="wrap-header h2wrap"><h2 id="入门"><a aria-hidden="true" tabindex="-1" href="#入门"><span class="icon icon-link"></span></a>入门</h2><div class="wrap-body">
</div></div><div class="h2wrap-body"><div class="wrap h3body-not-exist col-span-2"><div class="wrap-header h3wrap"><h3 id="命令安装"><a aria-hidden="true" tabindex="-1" href="#命令安装"><span class="icon icon-link"></span></a>命令安装</h3><div class="wrap-body">
<!--rehype:wrap-class=col-span-2-->
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line"><span class="token function">sudo</span> <span class="token function">rpm</span> <span class="token parameter variable">--import</span> https://download.sysdig.com/DRAIOS-GPG-KEY.public  
</span><span class="code-line"><span class="token function">sudo</span> <span class="token function">curl</span> <span class="token parameter variable">-s</span> <span class="token parameter variable">-o</span> /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
</span><span class="code-line"><span class="token function">sudo</span> yum <span class="token parameter variable">-y</span> <span class="token function">install</span> sysdig
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="常用参数"><a aria-hidden="true" tabindex="-1" href="#常用参数"><span class="icon icon-link"></span></a>常用参数</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->

























































<table class="show-header"><thead><tr><th align="left" scope="col">参数</th><th align="left" scope="col">说明</th></tr></thead><tbody><tr><td align="left"><code>-C 5</code></td><td align="left">每个文件不超过5M</td></tr><tr><td align="left"><code>-W 10</code></td><td align="left">保留不超过10个文件</td></tr><tr><td align="left"><code>-G 60</code></td><td align="left">每个文件只保留一分钟内的系统活动</td></tr><tr><td align="left"><code>-w dump.pcap</code></td><td align="left">保存到文件</td></tr><tr><td align="left"><code>-e 1000</code></td><td align="left">每个文件只有1000个事件</td></tr><tr><td align="left"><code>-z</code></td><td align="left">对保存的内容进行压缩</td></tr><tr><td align="left"><code>-A --print-ascii</code></td><td align="left">把buffer中数据按照ASCII格式打印，方便阅读</td></tr><tr><td align="left"><code>-x --print-hex</code></td><td align="left">把buffer中数据按照十六进制打印</td></tr><tr><td align="left"><code>-X --print-hex-ascii</code></td><td align="left">把buffer中数据同时按照ASCII格式和十六进制打印</td></tr><tr><td align="left"><code>-s 1024</code></td><td align="left">捕获buffer的数据大小，默认为80，设置过大，文件会很大</td></tr><tr><td align="left"><code>-N</code></td><td align="left">不用把端口号转成可读名字</td></tr><tr><td align="left"><code>-r</code></td><td align="left">从文件读取</td></tr></tbody></table>
<!--rehype:className=show-header-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="输出含义"><a aria-hidden="true" tabindex="-1" href="#输出含义"><span class="icon icon-link"></span></a>输出含义</h3><div class="wrap-body">









































<table class="show-header"><thead><tr><th align="left" scope="col">字段</th><th align="left" scope="col">说明</th></tr></thead><tbody><tr><td align="left"><code>evt.num</code></td><td align="left">递增的事件号</td></tr><tr><td align="left"><code>evt.time</code></td><td align="left">事件发生的时间</td></tr><tr><td align="left"><code>evt.cpu</code></td><td align="left">事件被捕获时所在cpu</td></tr><tr><td align="left"><code>proc.name</code></td><td align="left">生成事件的进程名字</td></tr><tr><td align="left"><code>thread.tid</code></td><td align="left">线程id，单线程则为进程id</td></tr><tr><td align="left"><code>evt.dir</code></td><td align="left">事件方向(direction)，<code>></code> 代表进入事件，<code>&#x3C;</code> 代表退出事件</td></tr><tr><td align="left"><code>evt.type</code></td><td align="left">事件的名称，比如open、stat等，一般为系统调用</td></tr><tr><td align="left"><code>evt.args</code></td><td align="left">事件的参数。如果为系统调用，则对应系统调用的参数</td></tr></tbody></table>
<!--rehype:className=show-header-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="chisels常用工具"><a aria-hidden="true" tabindex="-1" href="#chisels常用工具"><span class="icon icon-link"></span></a>chisels常用工具</h3><div class="wrap-body">













































<table class="show-header"><thead><tr><th align="left" scope="col">工具</th><th align="left" scope="col">说明</th></tr></thead><tbody><tr><td align="left"><code>httplog</code></td><td align="left">输出所有的http请求</td></tr><tr><td align="left"><code>topprocs_cpu</code></td><td align="left">按照cpu使用率对进程排序</td></tr><tr><td align="left"><code>topprocs_net</code></td><td align="left">按照网络使用情况对进程排序</td></tr><tr><td align="left"><code>fdcount_by</code></td><td align="left">按照建立连接数对进程排序</td></tr><tr><td align="left"><code>echo_fds</code></td><td align="left">输出进程读写数据</td></tr><tr><td align="left"><code>netstat</code></td><td align="left">列出网络连接情况</td></tr><tr><td align="left"><code>spy_file</code></td><td align="left">输出文件的读写数据，可以提供某个文件名作为参数</td></tr><tr><td align="left"><code>spy_ip</code></td><td align="left">抓取给定ip的数据交换</td></tr><tr><td align="left"><code>spy_port</code></td><td align="left">抓取给定端口的数据交换</td></tr></tbody></table>
<!--rehype:className=show-header-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="命令帮助"><a aria-hidden="true" tabindex="-1" href="#命令帮助"><span class="icon icon-link"></span></a>命令帮助</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-l</span>   <span class="token comment">#事件类型</span>
</span><span class="code-line">sysdig <span class="token parameter variable">-cl</span>  <span class="token comment">#chisels工具类型</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="捕获每个系统事件并将其写入标准输出"><a aria-hidden="true" tabindex="-1" href="#捕获每个系统事件并将其写入标准输出"><span class="icon icon-link"></span></a>捕获每个系统事件并将其写入标准输出</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="自定义输出"><a aria-hidden="true" tabindex="-1" href="#自定义输出"><span class="icon icon-link"></span></a>自定义输出</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"user:%user.name dir:%evt.arg.path"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>chdir
</span><span class="code-line">user:ubuntu dir:/root
</span><span class="code-line">user:ubuntu dir:/root/tmp
</span><span class="code-line">user:ubuntu dir:/root/Download
</span></code></pre>
<!--rehype:className=wrap-text-->
<p>字段必须用 <code>%</code> 作为前缀，所有 <code>sysdig -l</code> 列出来的字段都可以使用。
如果某个字段在事件中不存在，默认会过滤掉这个事件；在格式字符串最前面加上 <code>*</code> 符号，则会打印所有事件，不存在的字段会显示为 <code>&#x3C;NA></code>。</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"*%evt.type %evt.dir %evt.arg.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">&#x3C;</span> /proc/1285/task/1399/stat
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">&#x3C;</span> /proc/1285/task/1400/io
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">&#x3C;</span> /proc/1285/task/1400/statm
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist col-span-2"><div class="wrap-header h3wrap"><h3 id="抓取-kubernetes-pod-客户端-ip-的-udp-请求"><a aria-hidden="true" tabindex="-1" href="#抓取-kubernetes-pod-客户端-ip-的-udp-请求"><span class="icon icon-link"></span></a>抓取 <code>kubernetes pod</code> 客户端 <code>ip</code> 的 <code>udp</code> 请求</h3><div class="wrap-body">
<!--rehype:wrap-class=col-span-2-->
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 列出容器监听端口</span>
</span><span class="code-line">$ <span class="token function">sudo</span> sysdig <span class="token parameter variable">-pc</span> <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> <span class="token function">netstat</span> <span class="token assign-left variable">container.name</span><span class="token operator">=</span>aaa
</span><span class="code-line">
</span><span class="code-line"><span class="token comment"># 抓取kubernetes pod 的客户端ip为172.119.100.16，3000端口的的请求内容</span>
</span><span class="code-line">$ <span class="token function">sudo</span> sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds  k8s.pod.name contains datacenter-web-dev  and <span class="token assign-left variable">fd.port</span><span class="token operator">=</span><span class="token number">3000</span> and <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>read and <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">172.119</span>.100.16 <span class="token assign-left variable">fd.proto</span><span class="token operator">=</span>UDP
</span><span class="code-line">
</span><span class="code-line"><span class="token comment"># 按照建立连接数量对进程排序 并保存到sysdig.pcap文件中</span>
</span><span class="code-line">$ sysdig  <span class="token parameter variable">-c</span> fdcount_by fd.sport <span class="token string">"evt.type=accept"</span>  <span class="token parameter variable">-w</span> sysdig.pcap
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>抓取 <code>kubernetes pod</code> 客户端 <code>ip</code> 为 <code>172.119.100.16</code> 的 <code>udp</code> 请求（过滤表达式中各条件之间需用 <code>and</code> 连接：上例中 <code>fd.cip=172.119.100.16</code> 与 <code>fd.proto=UDP</code> 之间缺少 <code>and</code>）</p>
</div></div></div><div class="wrap h3body-not-exist row-span-3"><div class="wrap-header h3wrap"><h3 id="io案例"><a aria-hidden="true" tabindex="-1" href="#io案例"><span class="icon icon-link"></span></a>io案例</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-3-->
<p>查看 io 错误最多的进程</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_errors
</span></code></pre>
<p>查看io错误最多的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_errors
</span></code></pre>
<p>查看磁盘io失败的调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token assign-left variable">fd.type</span><span class="token operator">=</span>file and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<p>查看httpd打开失败的文件</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token string">"proc.name=httpd and evt.type=open and evt.failed=true"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看最花费时间的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls_time
</span></code></pre>
<p>查看系统调用失败返回最多的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls <span class="token string">"evt.failed=true"</span>
</span></code></pre>
<p>查看打开文件失败</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>打印延迟大于1ms的文件I/O调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fileslower <span class="token number">1</span>
</span></code></pre>
<p>查看使用硬盘带宽最多的进程</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_file
</span></code></pre>
<p>列出大量使用文件描述符的进程</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by proc.name <span class="token string">"fd.type=file"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看读写bytes最多的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_bytes
</span></code></pre>
<p>打印httpd进程已经读取中和写入中的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_bytes <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>httpd
</span></code></pre>
<p>基本的 opensnoop：在文件被打开时实时监视（snoop）打开操作</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看活跃中的读和写最多的目录</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.directory <span class="token string">"fd.type=file"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看目录/tmp活跃中的读写最多的文件</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.filename <span class="token string">"fd.directory=/tmp/"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看所有文件名为 passwd 的 I/O 活动</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token string">"fd.filename=passwd"</span>
</span></code></pre>
<p>展示FD类型的活跃I/O</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.type
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="网络"><a aria-hidden="true" tabindex="-1" href="#网络"><span class="icon icon-link"></span></a>网络</h3><div class="wrap-body">
<p>抓取 <code>kubernetes pod</code> 的客户端 <code>ip</code> 为 <code>172.119.100.17</code>，<code>3000</code> 端口的请求内容（各过滤条件之间需用 <code>and</code> 连接，<code>fd.proto=UDP</code> 之前也应加上 <code>and</code>）</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ <span class="token function">sudo</span> sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds  k8s.pod.name contains datacenter-web-dev  and <span class="token assign-left variable">fd.port</span><span class="token operator">=</span><span class="token number">3000</span> and <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>read and <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">172.119</span>.100.17 <span class="token assign-left variable">fd.proto</span><span class="token operator">=</span>UDP
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看占用网络带宽最多的进程</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_net
</span><span class="code-line"><span class="token comment">#显示主机192.168.0.1的网络传输数据</span>
</span><span class="code-line"><span class="token comment">#作为二进制：</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-s2000</span> <span class="token parameter variable">-X</span> <span class="token parameter variable">-c</span> echo_fds <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">192.168</span>.0.1
</span><span class="code-line"><span class="token comment">#作为 ASCII：</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-s2000</span> <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">192.168</span>.0.1
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看连接最多的服务器端口</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line"><span class="token comment">#在已建立的连接方面：</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by fd.sport <span class="token string">"evt.type=accept"</span>
</span><span class="code-line"><span class="token comment">#就总字节数而言：</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.sport
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看客户端连接最多的ip</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line"><span class="token comment">#在已建立的联系方面</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by fd.cip <span class="token string">"evt.type=accept"</span>
</span><span class="code-line"><span class="token comment">#就总字节数而言</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.cip
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>列出所有不是访问 apache 服务的连接</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"%proc.name %fd.name"</span> <span class="token string">"evt.type=accept and proc.name!=httpd"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>显示 wordpress1 容器在端口 80 上发送和接收的数据：</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-cecho_fds</span> <span class="token assign-left variable">container.name</span><span class="token operator">=</span>wordpress1 and <span class="token assign-left variable">fd.port</span><span class="token operator">=</span><span class="token number">80</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>实时打印 <code>mysql</code> 容器接收的所有新连接</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"%fd.name"</span> <span class="token assign-left variable">container.name</span><span class="token operator">=</span>mysql and <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>accept
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="进程"><a aria-hidden="true" tabindex="-1" href="#进程"><span class="icon icon-link"></span></a>进程</h3><div class="wrap-body">
<p>查看哪些文件花费时间最多</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_time
</span></code></pre>
<p>查看httpd进程哪些文件花费最多时间</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_time <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>httpd
</span></code></pre>
<p>查看io错误最多的进程</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_errors
</span></code></pre>
<p>查看io错误最多的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_errors
</span></code></pre>
<p>查看磁盘io失败的调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token assign-left variable">fd.type</span><span class="token operator">=</span>file and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<p>查看httpd打开失败的文件</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token string">"proc.name=httpd and evt.type=open and evt.failed=true"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看最花费时间的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls_time
</span></code></pre>
<p>查看系统调用失败返回最多的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls <span class="token string">"evt.failed=true"</span>
</span></code></pre>
<p>按用户、进程、文件描述符列出打开文件失败的事件（<code>-p</code> 自定义输出列）</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>打印延迟大于1ms的文件I/O调用</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fileslower <span class="token number">1</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="基本用法"><a aria-hidden="true" tabindex="-1" href="#基本用法"><span class="icon icon-link"></span></a>基本用法</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<p>将事件捕获到跟踪文件以供以后分析。注意：跟踪文件中记录了进程、命令行参数以及读写的 I/O 数据，可能包含凭据等敏感信息，应当像对待日志/抓包文件一样限制其读取权限与分发范围</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-w</span> myfile.scap
</span></code></pre>
<p>从跟踪文件中读取事件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-r</span> myfile.scap
</span></code></pre>
<p>根据特定字段过滤事件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>httpd and evt.type<span class="token operator">!=</span>open
</span></code></pre>
<p>运行 chisel（本页译作“凿子”，即 Sysdig 内置的 Lua 分析脚本）以获得高级功能</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_cpu
</span></code></pre>
<p>列出所有可用字段</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-l</span>
</span></code></pre>
<p>列出所有可用的 chisel（凿子）</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-cl</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="容器"><a aria-hidden="true" tabindex="-1" href="#容器"><span class="icon icon-link"></span></a>容器</h3><div class="wrap-body">
<p>以包含容器信息的格式（<code>-pc</code>）打印事件，可看到每个进程所属的容器</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-pc</span>
</span></code></pre>
<p>查看 <code>wordpress1</code> 容器中运行的进程的CPU使用率</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-pc</span> <span class="token parameter variable">-c</span> topprocs_cpu <span class="token assign-left variable">container.name</span><span class="token operator">=</span>wordpress1
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看对基于 <code>Kubernetes</code> 的 <code>mySQL</code> 服务发出的热门 <code>HTTP</code> 请求。<code>-k</code> 指向 Kubernetes API 地址；示例中的 <code>http://127.0.0.1:8080</code> 假定本机已运行一个未加认证的本地代理（例如 <code>kubectl proxy</code>），若直接连接启用了 TLS/认证的 API Server，需按 <code>sysdig --help</code> 中的 Kubernetes 相关选项提供凭据，且不要把这类明文 HTTP 端点暴露到本机之外</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-k</span> http://127.0.0.1:8080 <span class="token parameter variable">-c</span> httptop <span class="token assign-left variable">k8s.svc.name</span><span class="token operator">=</span>mysql
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="文件系统"><a aria-hidden="true" tabindex="-1" href="#文件系统"><span class="icon icon-link"></span></a>文件系统</h3><div class="wrap-body">
<p>列出使用最多文件数的进程</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by proc.name <span class="token string">"fd.type=file"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>观察名为“passwd”的所有文件（例如 <code>/etc/passwd</code>，<code>fd.filename</code> 只匹配不含目录的文件名）的 I/O 活动。<code>-A</code> 会把读写的缓冲区内容原样打印出来，输出中可能包含敏感数据，需妥善保护</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token string">"fd.filename=passwd"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="安全"><a aria-hidden="true" tabindex="-1" href="#安全"><span class="icon icon-link"></span></a>安全</h3><div class="wrap-body">
<p>显示 <code>root</code> 用户切换到（<code>chdir</code>）的目录</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%evt.arg.path"</span> <span class="token string">"evt.type=chdir and user.name=root"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>观察 <code>ssh</code> 活动：回显 <code>sshd</code> 在 <code>/dev/ptmx</code> 上的读写，即交互式 SSH 会话的终端输入与输出明文。这会暴露用户键入的一切内容（包括在 <code>sudo</code> 等提示符下输入的口令），仅应在获得授权的监控/取证场景下使用，并对输出严格保密</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token assign-left variable">fd.name</span><span class="token operator">=</span>/dev/ptmx and <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>sshd
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="日志"><a aria-hidden="true" tabindex="-1" href="#日志"><span class="icon icon-link"></span></a>日志</h3><div class="wrap-body">
<p>显示来自 python 的所有系统日志消息</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> spy_syslog <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>python
</span></code></pre>
<p>实时跟踪（类似 <code>tail -f</code>）系统中所有日志文件的写入</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> spy_logs
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="csysdig"><a aria-hidden="true" tabindex="-1" href="#csysdig"><span class="icon icon-link"></span></a>CSysdig</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ csysdig <span class="token parameter variable">-m</span> http://127.0.0.1:8080
</span></code></pre>
<p>使用 Mesos 元数据运行 csysdig（Sysdig 基于 curses 的交互式 UI）。<code>-m</code> 指向 Mesos API 地址；与 Kubernetes 示例一样，此处假定本机有一个未加认证的本地代理，不应将这类明文端点暴露到外部</p>
</div></div></div></div></div><div class="wrap h2body-not-exist"><div class="wrap-header h2wrap"><h2 id="另见"><a aria-hidden="true" tabindex="-1" href="#另见"><span class="icon icon-link"></span></a>另见</h2><div class="wrap-body">
<ul>
<li><a href="https://github.com/draios/sysdig/wiki">sysdig wiki</a> <em>(github.com)</em></li>
<li><a href="https://sysdig.com/">sysdig 官网</a> <em>(sysdig.com)</em></li>
<li><a href="https://sysdig.com/blog/linux-troubleshooting-cheatsheet/">Linux 故障排除速查表：strace、htop、lsof、tcpdump、iftop 和 sysdig</a> <em>(sysdig.com)</em></li>
</ul>
</html>
